Bug 61055

Summary: chrome.dll!WebCore::RenderInline::addFocusRingRects OOM (7176a6f69e3fa63b4b743761cb216707)
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: HTML EditingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: rniwa
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
Attachments:
Description Flags
Repro none

Berend-Jan Wever
Reported 2011-05-18 08:28:02 PDT
Created attachment 93917 [details] Repro Chromium: https://code.google.com/p/chromium/issues/detail?id=83057 Repro: <script> function f() { document.designMode="on"; document.execCommand("SelectAll", false); document.execCommand("inserthorizontalrule", false); document.execCommand("InsertOrderedList"); document.execCommand("InsertOrderedList", false); document.execCommand("selectall"); document.execCommand("insertimage", false); document.execCommand("SelectAll"); document.execCommand("outdent", false); document.execCommand("insertparagraph"); document.execCommand("SelectAll", false); document.execCommand("removeformat", false); document.execCommand("insertimage", false); document.execCommand("insertorderedlist", false); } </script> <body onload="f()"><u><li>x</li></u></body> This seems to create a loop somewhere that causes addFocusRingRects to call itself over and over, consuming memory each time until the process hits OOM.
Attachments
Repro (729 bytes, text/html)
2011-05-18 08:28 PDT, Berend-Jan Wever 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Berend-Jan Wever
Comment 1 2011-05-18 08:38:35 PDT
Here's a variation that causes chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads to use a lot of memory, but not so much as the previous and without a loop. On systems with sufficient RAM, this will not cause a crash. In low memory situations, it will: Repro: <script> function f() { document.designMode="on"; document.execCommand("SelectAll", false); document.execCommand("Underline"); document.execCommand("InsertHorizontalRule", false); document.execCommand("InsertUnorderedList", false); document.execCommand("insertunorderedlist"); document.execCommand("undo"); document.execCommand("inserthorizontalrule", false); document.execCommand("InsertOrderedList"); document.execCommand("InsertOrderedList", false); document.execCommand("selectall"); document.execCommand("insertimage", false); document.execCommand("outdent", false); document.execCommand("insertparagraph"); document.execCommand("SelectAll", false); document.execCommand("removeformat", false); document.execCommand("insertimage", false); document.execCommand("insertorderedlist", false); } </script> <body onload="f()"><pre>x</pre></body> id: chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads OOM (df4e2984520457194fecc131e9fbd804) description: Cannot allocate enough memory in chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads stack: chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads chrome.dll!WebCore::AccessibilityRenderObject::boundingBoxRect chrome.dll!WebKit::WebAccessibilityObject::boundingBoxRect chrome.dll!webkit_glue::WebAccessibility::Init chrome.dll!webkit_glue::WebAccessibility::WebAccessibility chrome.dll!webkit_glue::WebAccessibility::Init chrome.dll!webkit_glue::WebAccessibility::WebAccessibility chrome.dll!RenderView::SendPendingAccessibilityNotifications chrome.dll!`anonymous namespace'::TaskClosureAdapter::Run chrome.dll!MessageLoop::RunTask chrome.dll!MessageLoop::DoWork chrome.dll!base::MessagePumpDefault::Run chrome.dll!MessageLoop::RunInternal chrome.dll!MessageLoop::Run chrome.dll!RendererMain chrome.dll!`anonymous namespace'::RunNamedProcessTypeMain chrome.dll!ChromeMain chrome.exe!MainDllLoader::Launch chrome.exe!wWinMain chrome.exe!__tmainCRTStartup kernel32.dll!BaseProcessStart Source: void RenderObject::absoluteFocusRingQuads(Vector<FloatQuad>& quads) { Vector<IntRect> rects; // FIXME: addFocusRingRects() needs to be passed this transform-unaware // localToAbsolute() offset here because RenderInline::addFocusRingRects() // implicitly assumes that. This doesn't work correctly with transformed // descendants. FloatPoint absolutePoint = localToAbsolute(); addFocusRingRects(rects, absolutePoint.x(), absolutePoint.y()); size_t count = rects.size(); for (size_t i = 0; i < count; ++i) { IntRect rect = rects[i]; rect.move(-absolutePoint.x(), -absolutePoint.y()); quads.append(localToAbsoluteQuad(FloatQuad(rect))); } } I'm assuming "count" gets very large, which causes the large allocation.
Berend-Jan Wever
Comment 2 2011-06-20 04:20:13 PDT
*** This bug has been marked as a duplicate of bug 54740 ***
Note You need to log in before you can comment on or make changes to this bug.